mozilla / openbadges-backpack

Mozilla Open Badges Backpack
https://backpack.openbadges.org/

Issuer should be listed as a domain, not an untrusted string passed in from issuer #862

Open toolness opened 11 years ago

toolness commented 11 years ago

Currently it looks like the issuer is displayed as whatever string was passed in by the issuer, e.g.:

[screenshot: 2013-05-08 4:40:16 pm]

This is also the case in newer mockups of what the backpack might look like:

[screenshot: 2013-05-08 4:39:45 pm]

However, this means that evil.org could just issue badges saying they're from Harvard, and it'd show up as such, so long as the image submitted by evil.org looked professional enough.

In the future perhaps we could look at the Extended Validation Certificate provided by the site if an assertion is hosted over SSL, and use this to provide a more human-friendly and verified name for the issuer, like browsers do:

However, we currently don't have a mechanism to do this, and for all I know there might be security issues with it (@brianloveswords would know). In the meantime, we should probably stick with always showing the domain name of an issuer, rather than blindly propagating whatever it wants to be called.

For future reference, I think this is a violation of the Identifiability principle of Ka-Ping Yee's Secure Interaction Design guidelines.

threeqube commented 11 years ago

I'm of 2 minds about this. I totally understand the reason why we should point to the domain, but the string name is much more human readable and friendly to view. If evil.org issues a badge that passes a string that says "Harvard", upon quick inspection of the badge (clicking it) it'll be evident that that badge was issued by evil.org as opposed to harvard.edu, and that I think might be good enough, no?

cmcavoy commented 11 years ago

This has been something we've talked about for a long time. Anyone can set up a domain http://harvardrocks.tv and start issuing badges as 'Harvard'. There's always going to be a step where someone needs to verify the badge. Part of verification needs to be following the assertion or public key (for signed assertions) trail to a trusted source.

I like the idea of increased security (@toolness's SSL flow), and also making the domain name more prominent, or at least easier to verify visually without having to dive into the metadata.

In other words, :+1: to,

we should probably stick with always showing the domain name of an issuer, rather than blindly propagating whatever it wants to be called.

Just with the addition that the more readable version should sit next to the domain name.

threeqube commented 11 years ago

:+1: Sounds great to me.

iamjessklein commented 11 years ago

I agree with @toolness and @cmcavoy. This issue has been discussed for a while; we should prioritize it, as it is a security flaw.

kayaelle commented 11 years ago

Hey there - just found this thread. Yesterday I submitted #896 - Assertion IssuerOrganization url only recognizing root domain.

When this change is made, can the Issuer Organization url (which should be verifiable) be used rather than just the root url?

Thanks
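The thread converges on three points: the domain the assertion was fetched from is the only issuer identity the backpack can vouch for (toolness), the friendly name should sit next to that domain rather than replace it (cmcavoy), and an issuer serving assertions from a subdomain of its declared site should still be recognized (kayaelle, #896). The following is an added example of how a display layer could apply those rules; it is not code from openbadges-backpack. It assumes an illustrative assertion shape where `verify.url` is the URL the hosted assertion was fetched from and `badge.issuer.name` / `badge.issuer.url` are the issuer's self-declared name and site; those field names are assumptions, as are the sample assertions, which are constructed. `URL` is Node's built-in WHATWG URL class.

```javascript
// Added example for this discussion, not backpack code. Assumed assertion shape:
//   verify.url         - where the backpack fetched the hosted assertion from
//   badge.issuer.name  - self-declared, untrusted display name
//   badge.issuer.url   - self-declared issuer site
// Field names are illustrative only.

// Hostname of an http(s) URL, lower-cased; null for anything unparseable or
// any other scheme (javascript:, data:, ...). This is the only issuer identity
// the backpack itself can vouch for: it is where the assertion came from.
function verifiedHost(rawUrl) {
  if (typeof rawUrl !== 'string') return null;
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.hostname.toLowerCase();
}

// True when `host` is `base` itself or a subdomain of it, so an assertion
// served from badges.example.edu is accepted for an issuer whose declared URL
// is https://example.edu/ (the #896 concern). The leading dot in the suffix
// check stops "example.edu.evil.org" from matching "example.edu".
function hostWithin(host, base) {
  if (!host || !base) return false;
  return host === base || host.endsWith('.' + base);
}

// Untrusted display string: collapse whitespace, trim, cap length so a
// pathological name cannot push the domain label off the card.
function sanitizeName(name, max) {
  if (typeof name !== 'string') return '';
  return name.replace(/\s+/g, ' ').trim().slice(0, max);
}

// Decide what the badge card shows for the issuer. The fetch domain is always
// the primary label; the declared name is the secondary label next to it;
// `consistent` tells the UI whether the declared issuer URL is actually on the
// domain the assertion was served from (a stricter UI could hide the name
// when it is false).
function issuerDisplay(assertion) {
  const origin = verifiedHost(assertion.verify && assertion.verify.url);
  const issuer = (assertion.badge && assertion.badge.issuer) || {};
  const declaredHost = verifiedHost(issuer.url);
  return {
    domain: origin,                            // null means the badge cannot be displayed
    name: sanitizeName(issuer.name, 64),       // shown beside, never instead of, the domain
    consistent: hostWithin(origin, declaredHost),
  };
}

// Constructed sample: evil.org hosts an assertion whose issuer block claims Harvard.
const spoofed = {
  verify: { type: 'hosted', url: 'https://evil.org/assertions/42.json' },
  badge: { issuer: { name: 'Harvard  University', url: 'https://harvard.edu/' } },
};

// Constructed sample: an issuer serving from a subdomain of its declared site.
const legit = {
  verify: { type: 'hosted', url: 'https://badges.harvard.edu/a/42.json' },
  badge: { issuer: { name: 'Harvard University', url: 'https://harvard.edu/' } },
};

console.log(issuerDisplay(spoofed)); // domain "evil.org", consistent false
console.log(issuerDisplay(legit));   // domain "badges.harvard.edu", consistent true
```

For the spoofed assertion the card would read "evil.org" with "Harvard University" beside it, which is exactly the cue a viewer needs; the friendly string never stands alone. For signed assertions the same idea applies with the origin of the public key URL in place of the assertion URL.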